|
Law in the Internet Society
|
|
Mandatory data retention in Australia: a case study of a (further) proposed assault on privacy-- By GillianWhite - 14 Nov 20121. The proposalIn May 2012, the Australian Government announced an inquiry into potential reforms to national security legislation. The asserted basis was that Australia needs to ‘ensure our national security capability can evolve to meet emerging threats, while also delivering the right checks and balances ….’ One proposed reform is a mandatory data retention law. The data retention proposal is vaguely described in the Government’s discussion paper as ‘[a]pplying tailored data retention periods for up to 2 years for parts of a data set, with specific time-frames taking into account agency priorities, and privacy and cost impacts.’ This proposal has alarmed many and led the Attorney-General to provide further information on the Government’s position in a letter to the Parliamentary Committee considering the reforms. This letter makes it clear that the proposal’s inspiration is the highly controversial EU Directive on mandatory data retention. The EU Directive obliges providers of ‘publicly available electronic communications services or of public communications networks’ to retain certain data for criminal investigations. The objective applies to ‘traffic and location data … and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications…’ In the rest of this paper, I will analyze how the Australian proposal (like the EU directive) presents a significant, further threat to the three elements of privacy that have been discussed in our course: anonymity; secrecy and autonomy. I will also discuss some broader ramifications.2. Undermining anonymity, secrecy and autonomyA mandatory data retention scheme will undermine anonymity on the net for all Australians and all those communicating with Australians. As explained by the Electronic Frontier Foundation, the central tenet of data retention schemes is that ISPs, telephony providers etc are obliged to keep data including the records of IP address allocations to individuals and must, on request, give the government access to these data. This means that every person’s anonymity will be compromised by ISPs and phone carriers even where the government never requests this information: not only will that compromise be permitted, it will be legally required. Several industry players and civil liberty groups have raised the legitimate concern that mandated data retention may increase security risks for personal data, as each ISP will have to retain central repositories for lengthy periods of time (up to two years). Furthermore, there is no suggestion that officials’ requests for this information will require a warrant and so it is inevitable that government’s access will be over-inclusive (in terms of disregarding more individuals’ autonomy) than could feasibly be required for serious criminal investigations. The Attorney-General and the security apparatus in Australia have argued that a mandatory data scheme would not apply to the content of communications and, when pressed, have said that web-browsing history is content. However, it is clear that a mandatory retention law compromises the secrecy of private communications for anyone not using encryption technology. There will be ‘fuzzy’ lines to draw as to what constitutes ‘content’. That fuzziness may chill communications. Additionally, the distinction between ‘meta data’ and content data is the kind of legal nicety that does not fit with the technological reality. Reports on the wide-ranging retention and use of location tracking data, which were graphically illustrated by German politician, Malte Spitz, provide real life examples which are difficult to refute. Finally, a mandatory data scheme would be a significant (but hardly discussed) blow to Australians’ autonomy to live their lives without the knowledge, or the suspicion, that they are being watched. This will almost certainly not be a focus of the political debate—even though there are cries of ‘police state’—as Australians generally have no direct experience of widespread government surveillance. Further, Australia does not have a bill of rights and has not adopted the US concept of privacy-as-autonomy. It remains to be seen whether the holding of private information by both private companies and the government, as a matter of course, will awake more people from this complacency3. Further implicationsIt is unclear whether the Australian Government will follow through with a mandatory data retention law. The EU precedent, the claims that this is a terrorism and crime-busting measure like the US FISA Amendment Acts 2008, and the absence of a constitutional right to privacy, suggest that it has a very strong chance of being enacted. The Government earlier this year passed a law enabling agencies to provide foreign law enforcement agencies with existing and prospective telecommunications data held or generated in Australia, ahead of a warrant being issued. An Australian data retention law would furnish another precedent for lawmakers, not only in Australia but also around the world, demonstrating how to require everyone’s information to be held, not just the information of those implicated in alleged crime. Reflecting on our class’s discussions of private entities use of information, I think it is noteworthy that the policy analysis in Australia has not taken into account what kind of private actor behavior such a law will encourage. We already know that companies are collecting clients’ data to track consumers, target advertising and trade information with others. If government mandates the collection and retention of this information, it is likely that more players will come along to this information-collection-party. Some ISPs in Australia have complained that it will be costly for them to retain all this information. Even assuming that the costs are great (which may be doubted), it is not difficult to see an ever-increasing alignment between the government’s requirements and a commercial interest in retaining and using that information for other purposes as well. A law which directly allows both private actors and the government to undermine all citizens’ privacy is arguably never justifiable. This should not be obscured by generic claims of ‘national interest’.You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:
|
|
